b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a

Analysis

max time kernel
169s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a.exe
Size

205KB
MD5

ca167c2f9f14319eb8459753c46c9626
SHA1

af8e751638940efb8c25fa434efa58c260f39247
SHA256

b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a
SHA512

b06f05afdee97c693fc5668e4a0ebb4073dd285d6353895f6615a5998a553d27842f9acf135233a4b19c16d7d49830c3050319c34874e9bb79ee5b2bc4a2c38b
SSDEEP

3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHUe7Zxz1tXNestE//yvljq1Gl+:WTfFDbRnOTrARtxz1lYsa/IjK9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4552	install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2380	4552	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4552	4776	b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a.exe	80
PID 4776 wrote to memory of 4552	4776	b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a.exe	80
PID 4776 wrote to memory of 4552	4776	b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a.exe	80

C:\Users\Admin\AppData\Local\Temp\b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a.exe
"C:\Users\Admin\AppData\Local\Temp\b0d75ca48a0ab3fb6df980186546748faf2105e23f974c89d38b69126201df3a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
  2⤵
  - Executes dropped EXE
  PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 232
    3⤵
    - Program crash
    PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4552 -ip 4552
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
312KB

MD5
df25ec47ff1cfb96c529b0041f8de7a3

SHA1
ac50a4e2c87b1bc1783862ce3aef901e84c7eeb4

SHA256
9b9747313aba7ffe74f85743956ae3c0a136bc306987c5b09fee661a8adb5d54

SHA512
2bb3dbb19115a5c9b0407c055ec15dcdb37fa8f62c39670a8428b65eb9531faf1eeb13b442206fc455009bc18a962f5f448ccb8f3590cace108a75e18e563cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
312KB

MD5
df25ec47ff1cfb96c529b0041f8de7a3

SHA1
ac50a4e2c87b1bc1783862ce3aef901e84c7eeb4

SHA256
9b9747313aba7ffe74f85743956ae3c0a136bc306987c5b09fee661a8adb5d54

SHA512
2bb3dbb19115a5c9b0407c055ec15dcdb37fa8f62c39670a8428b65eb9531faf1eeb13b442206fc455009bc18a962f5f448ccb8f3590cace108a75e18e563cbe

Download Submit
memory/4552-132-0x0000000000000000-mapping.dmp

Download